Aaron Brazell has posted that a certain WP plugin has a vulnerability. The plugin has been fixed and a new release is here. I commented over there twice and asked what I consider to be two fair questions. I was subscribed to the comments so returned when some were made. This comment sticks out:

These plugins can be very dangerous. I think the WordPress culture is to install as many plugins as possible without doing a ton of research.

The guy who said that runs a WP blog. He also runs K2, and from what I know of K2 it has a fair share of JavaScript in it. That JS will be perfectly safe because it’s been written by guys who know their stuff – but I’ll bet that 99% of users of that theme do not know JS that well. They do not need to, because they trust the authors. In the same way, a lot of people trust plugin authors because they don’t know PHP. I pointed out the statement above in #wordpress and someone said they broadly agreed. Fair enough – it was a coder who broadly agreed. So what we have is two people who know code saying plugins can be dangerous. I think that’s a bad thing to say without quantifying it.

  • What is dangerous?
  • Is there a bad combination?
  • What should we not mix?
  • How can we tell what is good and what is bad?
  • Can we test these plugins to find out?
  • Who should we trust, and how do we know we can trust them?
  • How much research is enough?
  • Should we not ever use plugins?
  • Is it a permissions problem every time?
  • What is “Best Practice”?
  • Which plugins do you think are bad? Why? Have you changed yours if you use it?

The questions above matter because making blanket statements is not helpful. They also matter because the people doing support for the product will be on the receiving end of the “Are they dangerous?” questions. It is they who spend the time helping, and it is they who should be armed with the knowledge to advise and even try to make the situation better.

So for those coders who think that “These plugins can be very dangerous”, here’s a challenge: answer at least all of my questions above. Write it so forum helpers and others can use the knowledge positively. Write it to show you know. Write it to benefit WordPress. Improve the culture. Blog it.


I had a bazillion entries in an error log today – and they are usually very small files. A “412 Precondition” error occurs which then sets off 4 more error entries. So a lot of 412 * 4 is a lot of lines. From what I’ve read, Bad-Behaviour can cause 412 (but I could be wrong) so I’ve switched that off for 24 hours – I don’t think SK2 will break into a sweat.

New! Database Backup plugin

Skippy has just released what has to be an essential plugin – Database Backup. Given that if the host’s server went boom your files are replaceable but your posts and comments are not, you need this. Very easy install and very easy to use. No messing in phpMyAdmin, no cron jobs, just an efficient way to keep your data safe – and you do want that, don’t you?